This news answers a bunch of questions I’ve had.
I’ve got an Instagram burner I literally never use. Never clicked weird links, never logged in anywhere sketchy, so a phishing compromise makes zero sense. If my info got out, it likely came from Instagram’s side, not mine.
What’s interesting is the timing pattern. I started getting “reset your password” emails in early 2023, then they’d come in waves. It feels like the creds were getting resold and different people were taking turns running the same list. The emails were in different languages too, which tracks with whoever was firing off the requests.
Got another reset attempt a couple days ago. Congrats to the latest buyer: you bought pure schwag. Whatever value was in that list got milked long before it ended up public.
Instagram password reset can start from an email address.
> If my info got out, it likely came from Instagram’s side, not mine.
Did you use a burner email account to register? An account that was never used for anything else?
I just checked, and Instagram’s password reset flow allows requesting a reset using an email address, a phone number, or even the username [1]. The username is public information, so triggering password reset emails is relatively easy.
[1] https://www.instagram.com/accounts/password/reset/ (screenshot: https://imgur.com/a/4x5HPLx)
Ahhhhh, no. This account was registered pre hide-my-email days.
Yeah, common surprise point for services that have any form of username recovery from email.
> Congrats to the latest buyer: you bought pure schwag. Whatever value was in that list got milked long before it ended up public.
Nobody is buying your account specifically; they're buying it in bulk. At that scale the fact that a percentage of accounts are fake/burner/bots is baked into whatever the buyer is expecting. If anything, the bigger issue is bot accounts, not random privacy-oriented people's burner accounts.